Transcript
A (0:02)
You're listening to the Cyberwire network. Powered by N2K.
B (0:14)
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

Thales. They know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at

We've got your Patch Tuesday update. A data leak sheds light on North Korean APT Kimsuky. Apple introduces Memory Integrity Enforcement. Ransomware payments have dropped sharply in the education sector this year. A top NSC official warns ICS security lags behind, and a senator calls US cybersecurity a hellscape. A Ukrainian national faces federal charges and an $11 million bounty for allegedly running multiple ransomware operations. Our guest is Jake Braun, sharing the latest on Project Franklin, and WhoFi makes Wi-Fi a new spy. It's Wednesday, September 10, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

Yesterday was Patch Tuesday. Microsoft issued fixes for 86 vulnerabilities across Windows and its products. Several of these carry a "likely exploitation" label, and among them are two publicly disclosed zero-day flaws, including an especially serious one which enables SMB relay attacks and privilege escalation, though mitigations like server signing and Extended Protection for Authentication can help shield systems. Adobe also released patches addressing nearly two dozen vulnerabilities across nine products, including critical flaws in ColdFusion and Commerce. In the industrial space, Rockwell Automation led the ICS Patch Tuesday with eight high-severity advisories, joined by updates from Siemens, Schneider Electric and Phoenix Contact. Finally, Fortinet, Ivanti and Nvidia rolled out security updates tackling high-severity issues that risk remote code execution, privilege escalation, data exposure and configuration tampering.

A new analysis of a 9 gigabyte leaked data set has shed light on North Korean APT Kimsuky, also known as APT43. The data reveals development of interactive malware, a Linux rootkit and phishing infrastructure, along with reconnaissance via OCR commands and logs tied to compromised Taiwanese government and academic IPs. Researchers also linked the group's operations to Chinese support, targeting South Korea and Taiwan with GPKI and credential theft campaigns. Experts recommend monitoring NASAM artifacts, OCR tool use, phishing domains and PAM SSH logs for signs of intrusion.

Apple has introduced Memory Integrity Enforcement in its new iPhone 17 and iPhone Air running iOS 26. The always-on security feature is designed to protect against advanced spyware attacks that exploit memory safety flaws, a common tactic of mercenary spyware vendors. These firms, while claiming to serve governments, often sell tools to authoritarian regimes targeting journalists, activists and dissidents. MIE leverages ARM's advanced Memory Tagging Extension, secure memory allocators and strict confidentiality enforcement to defend the kernel, Safari and Messages. Apple reports that MIE disrupts exploit chains early, leaving attackers with limited options and fragile strategies. Ivan Krstić, Apple's head of security engineering, said MIE will raise costs for spyware developers and reshape memory safety defenses. Meanwhile, Google unveiled Advanced Protection mode for Android users.

ChillyHell is a sophisticated modular backdoor targeting macOS, active since 2021 yet largely undetected by antivirus tools. First noted in a private Mandiant report, the malware resurfaced this year when Jamf Threat Labs uncovered a notarized sample hosted on Dropbox. Written in C++, it masquerades as a legitimate app but functions as a stealthy implant, profiling systems, enumerating users and persisting via launch agents, launch daemons, or shell profile injection. It uses timestomping to mask activity and supports DNS and HTTP C2 channels. ChillyHell's modular design allows attackers to deploy reverse shells, update itself, load payloads and brute-force local accounts. Its persistence, flexibility and developer-side notarization highlight growing sophistication in macOS threats. Jamf researchers stress this case as proof that Apple's notarization checks, while helpful, aren't infallible, and that macOS users face increasingly Windows-like levels of adversary attention.

A new report from Sophos shows ransomware demands and payments have dropped sharply in the education sector in 2025, reflecting stronger defenses and faster recovery. Average ransom demands fell 74% in lower education and 80% in higher education, with payments plummeting 88% and 90%, respectively. Recovery costs also declined dramatically. Institutions are also recovering faster: over half restored operations within a week, compared to just 30% in 2024. Encryption success rates hit a four-year low. Only 29% of lower education incidents and 58% in higher education resulted in data encryption. Improved detection meant most attacks were stopped before the damage occurred. Phishing was the leading cause in lower education, while vulnerability exploitation dominated in higher education. Researchers note attackers may now favor smaller, quicker payouts over large ransom demands.

At this week's Billington Cybersecurity Summit, Alexei Bulazel, the top cyber official at the National Security Council, warned that US critical infrastructure lags far behind modern smartphones in security technology. He highlighted the energy sector, which relies heavily on SCADA systems, as particularly vulnerable to disruptions like power outages. Bulazel argued that if infrastructure systems had protections comparable to iPhones or Android devices, only the most advanced threat actors could penetrate them. As a White House policymaker, he stressed that raising the technical baseline would eliminate many security challenges. While the Trump administration supports offensive cyber operations, Bulazel emphasized a stronger focus on defensive strategies and secure-by-design principles. He echoed National Cyber Director Sean Cairncross in urging a shift from viewing organizations as victims to holding adversaries accountable, noting that hackers are intentional actors, not natural disasters.

Meanwhile, at a Washington, D.C. event held by Politico, Senator Angus King warned that U.S. cybersecurity is a "hellscape" made worse by government cuts. Citing staff reductions at the State Department, Justice Department and especially CISA, which he said has lost 30% of its workforce and key leaders, King argued the US is unilaterally disarming as cyberattacks on infrastructure and businesses surge, and criticized the elimination of CISA's public-private partnerships office. DHS official David Harvlich pushed back, saying simply hiring more staff isn't the solution, and praised new leadership appointments.

Ukrainian national Volodymyr Tymoshchuk, age 28, faces federal charges and an $11 million bounty for allegedly running the LockerGoga, MegaCortex and Nefilim ransomware operations, which caused an estimated $18 billion in global damages. Prosecutors say he targeted over 250 U.S. companies and hundreds more worldwide, including Norsk Hydro's 2019 attack, which disrupted 35,000 employees across 40 countries and cost $81 million. Tymoshchuk allegedly used tools like Cobalt Strike, Metasploit and stolen credentials to infiltrate networks, often lying dormant before deploying ransomware. He faces seven counts, including computer fraud and extortion, and could receive life imprisonment if convicted. Nefilim, his later operation, followed an affiliate model targeting large firms with revenues above $100 million. While Tymoshchuk remains at large, one of his affiliates, Artem Stryzhak, was extradited to the US back in April 20.

Coming up after the break, our guest Jake Braun shares the latest on Project Franklin, and WhoFi makes Wi-Fi a new spy. Stick around.

Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust workflows, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com slash CYBER.
